Internal error, not hacking, caused bank glitch
BDO Transaction Banking Group SVP Tomas Victor Mendoza showing a deep insert skimmer, a more complex skimming device used on ATM machines, during the Committee on Banks and Financial Institutions and Currencies an Committee on Finance Joint inquiry into BPI and BDO’s recent electronic banking glitches. Inquirer/Rillon
After extensive explanations at the opening of a Senate hearing on the glitches and theft that hit Bank of the Philippine Islands (BPI) and Banco De Oro (BDO), Sen. Francis Escudero on Wednesday said there was no reason to label the incidents as hacking or a terrorist attack, noting that the Philippine banking system is one of the strongest in Southeast Asia.
But Escudero, chair of the Senate Committee on Banks, Financial Institutions and Currencies, added he was looking at pushing a legislation that would address the “transnational implications” of hacking and “skimming.”
“Hacking is a transnational [crime] so what we want to look at is if there’s a possible legislation to make [hackers] accountable here in the country even if they are outside the country,” Escudero later told reporters.
The committee started its inquiry into the technical glitch that caused unauthorized transactions in the accounts of some BPI depositors two weeks ago and the latest incidents of “skimming” affecting several BDO automated teller machines.
The BDO officials ruled out hacking as the cause of the unauthorized ATM withdrawals that were reported by some cardholders.
‘Lapse in judgment’
BPI executives said “a lapse in judgment” by a programmer and not a hack job caused the glitch at the bank on June 6, but they told the committee that no client had lost money.
They said BPI officials responded to correct the situation in 37 hours, a response time which a Bangko Sentral ng Pilipinas (BSP) said was “fairly acceptable.”
The BDO executives sought to assure the panel that the bank was taking measures to protect its clients, which include the migration to the EMV (Europay, MasterCard, Visa) system from the 50-year-old magnetic stripe technology. The shift will be completed by 2018, they said.
“It’s not hacking per se, but fraud that attempts to steal,” said Peter Magdame, a BDO vice president.
95 skimming cases
In skimming, culprits steal card credentials — usually using devices attached to ATM machines — and use them for unauthorized withdrawals.
BDO executive vice president Edwin Reyes said that the recent skimming cases involved three separate events that came to the bank’s attention and affected seven ATMs in three locations.
“There were 95 cases and as a result, we disabled the cards that have been compromised,” said Reyes, adding “there was no cause for worry.”
Tomas Victor Mendoza, BDO senior vice president, also showed how skimming was done using actual devices—a PIN pad overlay and deep insert skimmer—embedded in ATMs and how this had evolved over time.
Mendoza said while all banks were investing heavily in technology to counter fraud, unscrupulous people were also continuously updating devices to steal from bank depositors, describing the challenge as a “mutual escalation.”
“We come out with a new technology but tomorrow fraudsters come in with a better technology. It’s an arms race,” he said.
EMV system
But the EMV system would help protect bank cardholders from theft, particularly due to the liability shift, said Melchor Labasan, deputy director of the BSP’s core IT specialist group.
“There is no evidence that the EMV can be compromised. But it’s not a silver bullet so banks must find other mechanisms to protect clients… we need to always fortify our security defenses,” Labasan added.
Cesar Consing, BPI president and chief executive officer, said what happened on June 6 was a “data processing error” that caused the “misposting in bank accounts” of 1.5 million of the bank’s 8 million customers.
“To fix the problem, we had to take down our electronic channels, services related to ATM cards, mobile and internet banking,” Consing said.
“The investigation showed it was a case of human error, not hacking. We also informed our regulators there was no breach of data privacy,” he added.
‘Impaired’ transactions
Joseph Albert Gotuaco, BPI executive vice president and chief financial officer, said what was affected from June 7 to 8 was the ATM cash acceptance machines, as well as online and mobile banking, and this “impaired” 500,000 to 600,000 transactions on those two days.
Ramon Jocson, BPI executive vice president, said a female programmer, who was not identified, was responsible for the glitch.
“She owned up to the mistake,” Jocson said, adding that the specialist had been reassigned and her access to her system had been blocked pending the bank’s investigation.
He said he had determined that the bank’s system had not been hacked because there had been no traffic of “escalated privileges” in the network, which was confirmed by service providers.
Assistant Governor Chuchi Fonacier of the BSP said investigation of the BPI glitch was continuing but said so far there was no evidence of “hacking or computer glitches, just human error.”
